Underwriting Data Privacy Breach Coverage for SMBs
Three basic risk categories help direct the underwriting of data privacy breach coverage. The first is industry type, which historically has been evaluated by looking at Standard Industrial Classification (SIC) or newer North American Industry Classification System (NAICS) codes, or in some cases by leveraging other proprietary classifications and descriptions used by the insurer.
Industry types that have higher risks from a data breach standpoint are then flagged. The general rule is that if an industry is interacting with a fair amount of sensitive consumer information, then it is by default a higher risk. Business-to-business (B2B) firms in the majority of industries are lower risk than their business-to-consumer (B2C) counterparts, simply because they typically handle far less sensitive payment or consumer information. Companies that operate in the B2B realm may be higher risk if their role for their client businesses is around processing, storing, evaluating or in any way interacting with sensitive consumer information.
Industries that should be considered high risk generally fall into several broad areas. Financial services (banks, credit unions, investment firms, mortgage lenders) focus largely on consumers, and are likely to have access to SSNs and identification data (such as driver's license numbers), along with the more obvious financial account numbers.
Businesses that regularly extend credit are also in the high-risk bucket. They will typically collect and/or store SSNs and other consumer data, and they cover a broad spectrum of industries from auto dealers to furniture stores, electronics retailers to cellular service providers.
Professional services may also be considered high risk, depending on the nature of the profession and the type of data it is likely to handle. Forms of information to be considered during underwriting may include medical data (personal health information covered by HIPAA), accounting data (payroll, corporate or personal tax information), and legal data (confidential or personally identifiable information about consumers, and intellectual property).
Another segment that may be overlooked depending on its size (which we'll cover later) is the retail sector, in particular online businesses and those retail transactions where the consumer's payment card isn't physically present during payment. The method for gathering and transmitting data during these transactions may put them into the high-risk category.
Size Matters
Size is another important consideration for underwriting, but it isn't always applied well. Fortune 1000 companies and similar large entities typically carry higher risk from a total exposure perspective. They often deal with a large number of external partners (vendors, suppliers, etc.) and thus may have more avenues through which a breach can occur. The recent Target exposure, where an HVAC contractor's network credentials were used by hackers to access tens of millions of payment card records, is a prime example of the risks inherent for many big companies.
However, large firms are also likely to have greater resources available to minimize their risk. They are often equipped to undergo the underwriting process and questionnaire, and will be scrutinized at various levels because they generally have the right departments and documentation available to verify that their risk management strategies are commensurate with the potential for exposure. They also tend to have more skin in the game, so to speak, as large organization-focused policies often have very high deductibles or self-insured retention levels, motivating these companies to minimize their risk exposures.
The Fortune 1000 sector is where many insurers focus their efforts, but that leaves a significant market in the cold. It's the small and mid-sized business sector where many underwriting misses are occurring, and that's unfortunate, because the vast majority of companies fall into this size category.
Smaller firms are perfect candidates for breach coverage solutions that leverage truly thoughtful underwriting. These are the companies most likely to rely on outside providers for their technology needs, from cloud services to information security management. They also heavily leverage external experts such as payroll and accounting contractors, along with outside legal counsel.
A lack of internal resources makes a large swath of SMBs less likely to be proactively prepared for a breach. They often have little or no data or systems backup expertise, and any restoration solution they're likely to implement probably hasn't undergone sufficient testing. Incident planning is often overlooked entirely, leading to poor breach response preparedness.
Despite the lack of a strong data protection strategy, these smaller companies still sell products online, collect sensitive consumer data, and process financial transactions. Their premiums may be small, and in-depth underwriting often isn't seen as a good investment by carriers. But the market is vast, and by following a fairly simple triage analysis that doesn't discount exposure risk based on size alone, insurers may be able to sell better (and more) breach coverage that truly meets the needs of these smaller players.
Eduard Goodman is chief privacy officer for IDentity Theft 911. An internationally trained attorney and privacy expert, Eduard has more than a decade of experience in privacy law, fraud and identity management. He is a member of the state bar of Arizona and served as the 2008-09 section chairman of the bar's Internet, E-Commerce & Technology Law Section. He is a Certified Information Privacy Professional (CIPP) holding designations for both the U.S. and Canada.